I am a Fellow at Cisco Systems, where I work in the Office of the CTO in the Security Business Group. My current focus is the detection of advanced threats and malware using network monitoring and analytic techniques. I work to improve network and system security through applied research, standards, and product engineering, and connect the industry to research through the University Research Board.

This web page is not up to date; it is maintained only to provide preprints and similar documents. For more up-to-date professional information, please visit my page on LinkedIn. Needless to say, this web page represents me, and does not represent my employer or any other organization.

I have worked in applied cryptography, with interests centered on
building practical security systems using cryptography, with an
emphasis on performance, scalability and deployability, as well as
cryptanalysis, the design of symmetric ciphers and message
authentication codes, and information theory. I was a founder and
co-chair of the IRTF Crypto Forum Research Group
as well as a member of
the International Association for
Cryptologic Research and
the Internet Society.

The block cipher modes of operation that are widely used (CBC,
CTR, CFB) are secure up to the birthday bound; that is, if
w*2^(w/2) or fewer bits of data are encrypted with a w-bit block
cipher. However, the detailed security properties close to
this bound are not widely appreciated, despite the fact that
64-bit block ciphers are sometimes used in that domain. This
work addresses the issue by analyzing plaintext-recovery
attacks that are effective close to that bound. We describe
probable-plaintext attacks, which can learn unknown
plaintext values that are encrypted with CBC, CFB, or
OFB. We also introduce impossible plaintext cryptanalysis,
which can recover information encrypted with CTR, and can
improve attacks against the aforementioned modes as
well. These attacks work at the birthday bound, or even
slightly below that bound, when the target plaintext values
are encrypted under a succession of keys.
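A small calculator for the bound discussed above, with a toy simulation that checks the collision formula; this is an added example, not code from the paper. The 2^(w/2)-block birthday bound and the C(n,2)/2^w collision estimate are standard; the random permutation standing in for a block cipher is constructed here.

```python
import random
from collections import Counter


def birthday_bound_bytes(w: int) -> int:
    """Bytes that may be encrypted under one key before the birthday bound:
    2^(w/2) blocks of w bits each, i.e. w * 2^(w/2) bits."""
    return 2 ** (w // 2) * w // 8


def expected_collisions(n_blocks: int, w: int) -> float:
    """Expected number of equal pairs among n uniformly random w-bit blocks:
    C(n, 2) / 2^w.  In CBC an equal ciphertext pair C_i = C_j reveals
    P_i xor P_j = C_(i-1) xor C_(j-1); that leakage is what the
    probable-plaintext attacks described above build on."""
    return n_blocks * (n_blocks - 1) / 2 / 2 ** w


def expected_collisions_rekeyed(bytes_per_key: list, w: int) -> float:
    """Only blocks encrypted under the same key collide usefully, so a
    succession of keys is scored key by key (data volume per key matters,
    not the total)."""
    return sum(expected_collisions(b * 8 // w, w) for b in bytes_per_key)


def simulate_cbc_collisions(w: int, n_blocks: int, seed: int = 1) -> int:
    """Toy check of the formula: CBC-encrypt n random w-bit blocks with a
    random permutation (constructed stand-in for a block cipher, only
    practical for small w) and count colliding ciphertext block pairs."""
    rng = random.Random(seed)
    perm = list(range(2 ** w))
    rng.shuffle(perm)                        # constructed toy block cipher
    prev = rng.getrandbits(w)                # IV
    seen = Counter()
    for _ in range(n_blocks):
        prev = perm[rng.getrandbits(w) ^ prev]   # C_i = E(P_i xor C_(i-1))
        seen[prev] += 1
    return sum(k * (k - 1) // 2 for k in seen.values())


if __name__ == "__main__":
    for name, w in (("64-bit block (3DES, Blowfish)", 64),
                    ("128-bit block (AES)", 128)):
        print(f"{name}: birthday bound at {birthday_bound_bytes(w) / 2**30:.0f} GiB per key")
    # 128 GiB under one 64-bit-block key, versus the same data over four keys
    print(expected_collisions(2 ** 34, 64), expected_collisions_rekeyed([2 ** 35] * 4, 64))
    print(simulate_cbc_collisions(16, 2048), "collisions observed; formula predicts",
          expected_collisions(2048, 16))
```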

D. McGrew and S. Fluhrer, The Security of the Extended Codebook (XCB) Mode of Operation, Proceedings of the 14th Annual Workshop on Selected Areas in Cryptography, Springer, 2007. Preprint available at the IACR eprint archive.

The XCB mode of operation was outlined in 2004 as a contribution
to the IEEE Security in Storage effort, but no security analysis
was provided. In this paper, we provide a proof of security for XCB, and
show that it is a secure tweakable (super) pseudorandom permutation.
Our analysis makes several new contributions: it uses an algebraic property
of XCB's internal universal hash function to simplify the proof, and
it defines a nonce mode in which XCB can be securely used even when the
plaintext is shorter than twice the width of the underlying block cipher.
We also show minor modifications that improve the performance of XCB
and make it easier to analyze. XCB is interesting because it is highly efficient
in both hardware and software, it has no alignment restrictions
on input lengths, it can be used in nonce mode, and it uses the internal
functions of the Galois/Counter Mode (GCM) of operation, which
facilitates design re-use and admits multi-purpose implementations.

Most secure routing proposals require the existence of
a global public-key infrastructure (PKI) to bind a public/private key-pair to a prefix, in order to authenticate
route originations of that prefix. A major difficulty in secure
routing deployment is the mutual dependency between the routing protocol and the establishment of a
globally trusted PKI for prefixes and ASes: cryptographic
mechanisms used to authenticate BGP Update messages
require a PKI, but without a secure routing infrastructure
in place, Internet registries and ISPs have little motivation
to invest in the development and deployment of this PKI.
This paper proposes a radically different mechanism
to resolve this dilemma: an evolutionary Grassroots-PKI
that bootstraps by letting any routing entity announce
self-signed certificates to claim their address space. Despite
the simple optimistic security of this initial stage, we
demonstrate how a Grassroots-PKI provides ASes with
strong incentives to evolve the infrastructure into a full
top-down hierarchical PKI, as proposed in secure routing
protocols like S-BGP. Central to the Grassroots-PKI concept
is an attack recovery mechanism that by its very nature
moves the system closer to a global PKI. This admittedly
controversial proposal offers a rapid and incentive-compatible
approach to achieving a global routing PKI.

The Galois/Counter Mode (GCM) of operation
can be used as an incremental message authentication code (MAC); in this respect, it is unique among the crypto
algorithms used in practice. We show that it has this property, and show how to use it as an incremental MAC.
These MACs have great utility for protecting data at rest. In particular, they can be used to protect a large, dynamic
data set using only a small, constant amount of memory.

The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.
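GHASH as the GCM specification defines it, together with the single-multiplication update that the incremental-MAC property in the two abstracts above rests on; this is an added illustration, not code from the papers or from any GCM implementation. The hash key H and the ciphertext block are the published values of GCM test case 2 (zero key, zero IV, one zero plaintext block); the replacement block is constructed.

```python
# GHASH(H, X_1..X_m) = X_1*H^m + X_2*H^(m-1) + ... + X_m*H in GF(2^128), so
# replacing one block X_j changes the digest by (X_j + X_j') * H^(m-j+1):
# one field multiplication instead of a full pass over the data set.

R = 0xE1 << 120      # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected form
ONE = 1 << 127       # the field element "1" in that representation


def gf128_mul(x: int, y: int) -> int:
    """Algorithm 1 of the GCM spec on 128-bit ints; leftmost bit is x^0."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:          # y_i, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf128_pow(h: int, e: int) -> int:
    r = ONE
    for _ in range(e):
        r = gf128_mul(r, h)
    return r


def ghash(h: int, blocks: list) -> int:
    """Y_0 = 0; Y_i = (Y_(i-1) xor X_i) * H; returns Y_m."""
    y = 0
    for x in blocks:
        y = gf128_mul(y ^ x, h)
    return y


def length_block(a_bits: int, c_bits: int) -> int:
    """Final GHASH input block: 64-bit len(A) || 64-bit len(C)."""
    return (a_bits << 64) | c_bits


def ghash_update(h: int, digest: int, m: int, j: int, old: int, new: int) -> int:
    """Digest over m blocks after block j (0-based) changes from old to new.
    The GMAC tag is digest xor E_K(J_0); that mask does not depend on the
    data, so the same update applies to a stored tag."""
    return digest ^ gf128_mul(old ^ new, gf128_pow(h, m - j))


# GCM spec test case 2: H = E_K(0^128) and the single ciphertext block.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C = 0x0388DACE60B6A392F328C2B971B2FE78
BLOCKS = [C, length_block(0, 128)]


def incremental_demo(new_block: int = 0x0123456789ABCDEF0123456789ABCDEF):
    """Replace the data block (constructed value); compare the one-step
    update with a full recomputation."""
    digest = ghash(H, BLOCKS)
    updated = ghash_update(H, digest, len(BLOCKS), 0, C, new_block)
    recomputed = ghash(H, [new_block, BLOCKS[1]])
    return digest, updated, recomputed


if __name__ == "__main__":
    d, u, r = incremental_demo()
    print(f"original {d:032x}\nupdated  {u:032x}\nrehashed {r:032x}")
```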

Abstract: We present and analyze attacks on additive
stream ciphers that rely on linear equations that hold with nontrivial
probability in plaintexts that are encrypted using distinct
keys. These attacks extend Biham's key collision attack and
Hellman's time memory tradeoff attack, and can be applied to any
additive stream cipher. We define linear redundancy to
characterize the vulnerability of a plaintext source to these
attacks.

We show that an additive stream cipher with an $n$-bit key has an
effective key size of $n-\min(l, \lg M)$ against the key collision
attack, and of $2n/3 + \lg (n/3) + \max(n-l,0)$ against the time
memory tradeoff attack, when the attacker knows $l$ linear
equations over the plaintext and has $M$ ciphertexts encrypted with
$M$ distinct unknown secret keys.

Lastly, we analyze the IP, TCP, and UDP protocols and some typical
protocol constructs, and show that they contain significant linear
redundancy. We conclude with observations on the use of stream
ciphers for Internet security.

Abstract: The alleged RC4 keystream generator is examined, and a
method of explicitly computing digraph probabilities is given.
Using this method, we demonstrate a method for distinguishing 8-bit
RC4 from randomness. Our method requires less keystream output
than currently published attacks, requiring only $2^{30.6}$ bytes of
output. In addition, we observe that an attacker can, on
occasion, determine portions of the internal state with nontrivial
probability. However, we are currently unable to extend this
observation to a full attack.

Abstract: We present and analyze a new algorithm for establishing
shared cryptographic keys in large, dynamically changing groups.
Our algorithm is based on a novel application of one-way function
trees. In comparison with previously published methods, our
algorithm achieves a new minimum in the number of bits that need to
be broadcast to members in order to re-key after a member is added
or evicted. The number of keys stored by group members, the number
of keys broadcast to the group when new members are added or
evicted, and the computational efforts of group members, are
logarithmic in the number of group members. Our algorithm provides
complete forwards and backwards security: newly admitted group
members cannot read previous messages, and evicted members cannot
read future messages, even with collusion by arbitrarily many evicted
members.

This algorithm offers a new scalable method for establishing group
session keys for secure large-group applications such as electronic
conferences, multicast sessions, and military command and control.

Works in Progress

We describe a block cipher mode of operation that implements a `tweakable' (super) pseudorandom permutation with an arbitrary block length. This mode can be used to provide the best possible security in systems that cannot allow data expansion, such as disk-block encryption and some network protocols. The mode accepts an additional input, which can be used to protect against attacks that manipulate the ciphertext by rearranging the ciphertext blocks.

Our mode is similar to a five-round Luby-Rackoff cipher in which the first and last rounds do not use the conventional Feistel structure, but instead use a single block cipher invocation. The third round is a Feistel structure using counter mode as a PRF. The second and fourth rounds are Feistel structures using a universal hash function; we re-use the polynomial hash over a binary field defined in the Galois/Counter Mode (GCM) of operation for block ciphers. This choice provides efficiency in both hardware and software and allows for re-use of implementation effort. XCB also has several useful properties: it accepts arbitrarily-sized plaintexts and associated data, including any plaintexts with lengths that are no smaller than the width of the block cipher.

Some message authentication codes (MACs) are vulnerable to multiple forgery attacks, in which an attacker can gain information that allows her to succeed in forging multiple message/tag pairs. This property was first noted in MACs based on universal hashing, such as the Galois/Counter Mode (GCM) of operation for block ciphers. However, we show that CBC-MAC and HMAC also have this property, and for some parameters are more vulnerable than GCM. We present multiple-forgery attacks against these algorithms, then analyze the security against these attacks by using the expected number of forgeries. We compare the different MACs using this measure.

Physics Publications

There is a remarkably close parallel between the problems of the physicist and those of the cryptographer. The system on which a message is enciphered corresponds to the laws of the universe, the intercepted messages to the evidence available, the keys for a day or a message to important constants which have yet to be determined. The correspondence is very close, but the subject matter of cryptography is very easily dealt with by discrete machinery, physics not so easily. Alan Turing, "Intelligent machinery." In: Bernhard Meltzer and Donald Michie (eds), Machine Intelligence 5, p. 14.

We introduce an additional method to solve Schrodinger's equation for a free particle in an infinite well of
arbitrary shape (the Helmholtz equation with Dirichlet boundary conditions), a problem of interest in the area
of quantum chaos. We expand the wave function in a basis of products of sine functions, then use the constraint
operator to contain the wave function to a region within the domain of the basis functions. In this manner, a
quantum billiard problem of arbitrary shape can be solved. Several methods exist to solve problems of this sort,
but as recent work reviewing these methods has shown, all have shortcomings. Our work represents a different
direction in the solution of these problems. Our method is different in that it provides a means of computing
an eigenbasis. It is also interesting from a physical standpoint in that it can represent the Hamiltonian of a
classically chaotic system in the basis of a classically regular system.

Most of the existing dynamical studies in one dimension on magnetic insulators have considered the simplest spin models with nearest-neighbor interactions. In real systems, however, it is possible that longer range interactions are not entirely negligible. It is expected that the inclusion of next-nearest-neighbor interactions between spins in one-dimensional spin models will introduce a multitude of new frequencies in addition to the ones already present in the dynamics that arises due to nearest-neighbor interactions. We first present an exact solution for the dynamical xx-spin-pair correlations in an Ising chain with both nearest- and next-nearest-neighbor interactions to confirm our expectation. We next show, via an approximate analytical calculation, that the dynamical zz-spin-pair correlations in the next-nearest-neighbor transverse Ising chain when plotted as a function of time is noticeably different with respect to the exactly solvable nearest-neighbor transverse Ising chain at T → ∞ when the next-nearest-neighbor interaction is ≳ 1/2 of the magnitude of the nearest-neighbor interaction. The effects could be fairly subtle in the time domain representation and in the spectral function when these additional interactions are weak (i.e., < 1/2 of the nearest-neighbor interaction magnitude). The general conclusions reached in this work are expected to be valid for other simple quantum spin models such as the XY and XXZ models in one dimension.

We study the problem of giant nuclear oscillations by performing self-consistent calculations in semiclassical approximation utilizing a multipole-multipole interaction of the Bohr-Mottelson type for quadrupole and octupole deformations. In all cases considered, we find regular motion of the collective coordinate, the multipole moment of deformation. This is in contradiction to the predictions of the wall formula and suggests that this type of one-body dissipation might not be realized in real nuclear systems. In addition, we find chaotic single particle motion in coexistence with the regular collective dynamics.

We study the conditions under which the nucleons inside a deformed nucleus can undergo chaotic motion. To do this we perform self-consistent calculations in semiclassical approximation utilizing a multipole-multipole interaction of the Bohr-Mottelson type for quadrupole and octupole deformations. For the case of harmonic and nonharmonic static potentials, we find that both multipole deformations lead to regular motion of the collective coordinate, the multipole moment of deformation. However, despite this regular collective motion, we observe chaotic single-particle dynamics.

This document describes the Secure Real-time Transport Protocol
(SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).

libSRTP is an open-source reference implementation of Secure RTP, which is available on sourceforge.

SRTP Encrypted Key Transport (EKT) is an extension to SRTP that provides for the secure transport of SRTP master keys, Rollover Counters, and other information, within SRTCP. This facility enables SRTP to work for decentralized conferences with minimal control, and
to handle situations caused by early media.

This memo describes the use of the Advanced Encryption Standard (AES) with 192 and 256 bit keys within the Secure RTP protocol. It defines Counter Mode encryption for SRTP and SRTCP and a new SRTP Key Derivation Function (KDF) for AES-192 and AES-256.

This document defines how AES-GCM, AES-CCM, and other Authenticated Encryption with Associated Data (AEAD) algorithms, can be used to provide confidentiality and data authentication mechanisms in the SRTP protocol.

Galois/Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption. It can be implemented in hardware to achieve high speeds with low cost and low latency. Software implementations can achieve excellent performance by using table-driven field operations. It uses mechanisms that are supported by a well-understood theoretical foundation, and its security follows from a single reasonable assumption about the security of the block cipher.

This memo describes the use of the Advanced Encryption Standard (AES)
in Galois/Counter Mode (GCM) as an IPsec Encapsulating Security
Payload (ESP) mechanism to provide confidentiality and data origin
authentication. This method can be efficiently implemented in
hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations.

This memo describes the use of the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to provide
data origin authentication, but not confidentiality, within the IPsec
Encapsulating Security Payload (ESP) and Authentication Header (AH).
GMAC is based on the Galois/Counter Mode (GCM) of operation, and can
be efficiently implemented in hardware for speeds of 10 gigabits per
second and above, and is also well-suited to software
implementations.

Threshold Secret Sharing

Threshold secret sharing (TSS) provides a way to generate N shares from a value, so that any M of those shares can be used to reconstruct the original value, but any M-1 shares provide no information about that value. This method can provide shared access control on key material and other secrets that must be strongly protected.

This note defines a threshold secret sharing method based on polynomial interpolation in GF(256) and a format for the storage and transmission of shares. It also provides usage guidance, describes
how to test an implementation, and supplies test cases.
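A compact implementation of the scheme the note describes, added here as an example; it is not the draft's reference code, and the only share-format detail it follows is the one stated in the comments (an index byte followed by one field element per secret byte). The field polynomial is an assumption, marked as such in the code.

```python
import os
from itertools import combinations

# Polynomial defining GF(256). The AES polynomial x^8 + x^4 + x^3 + x + 1 is
# assumed here; check it against the draft before interoperating with it.
POLY = 0x11B


def gf256_mul(a: int, b: int) -> int:
    """Multiply two field elements (values 0..255), reducing modulo POLY."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return p


def gf256_inv(a: int) -> int:
    """a^254 = a^-1 (a^255 = 1 for a != 0), by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf256_mul(r, base)
        base = gf256_mul(base, base)
        e >>= 1
    return r


def eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term."""
    y = 0
    for c in reversed(coeffs):
        y = gf256_mul(y, x) ^ c
    return y


def split(secret: bytes, n: int, m: int, rng=os.urandom) -> list:
    """N shares, any M of which reconstruct the secret. Share layout assumed
    here: index byte x (1..N) followed by f_k(x) for each secret byte k, where
    f_k is a random polynomial of degree M-1 with f_k(0) = secret[k]."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= M <= N <= 255")
    polys = [[s] + list(rng(m - 1)) for s in secret]
    return [bytes([x]) + bytes(eval_poly(f, x) for f in polys) for x in range(1, n + 1)]


def recover(shares: list) -> bytes:
    """Lagrange interpolation at x = 0. With fewer than M shares this returns
    a value unrelated to the secret, not an error; a caller cannot tell."""
    xs = [s[0] for s in shares]
    if 0 in xs or len(set(xs)) != len(xs):
        raise ValueError("share indices must be distinct and non-zero")
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares have different lengths")
    lam = []                 # lambda_i = prod_{j != i} x_j / (x_i - x_j)
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = gf256_mul(num, xj)
                den = gf256_mul(den, xi ^ xj)   # subtraction is xor here
        lam.append(gf256_mul(num, gf256_inv(den)))
    out = bytearray()
    for k in range(1, len(shares[0])):
        out.append(sum(gf256_mul(s[k], l) for s, l in zip(shares, lam)) & 0)
        out[-1] = 0
        for s, l in zip(shares, lam):
            out[-1] ^= gf256_mul(s[k], l)
    return bytes(out)


def threshold_holds(secret: bytes, n: int, m: int) -> bool:
    """Self-test: every M-subset of the N shares recovers the secret."""
    shares = split(secret, n, m)
    return all(recover(list(sub)) == secret for sub in combinations(shares, m))
```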

Abstract: This paper specifies the synchronous stream cipher LEVIATHAN, and provides the supporting documentation for the NESSIE standardization process. The design of this cipher enables it to efficiently seek to arbitrary locations in its keystream, despite the fact that its state transition functions are nonlinear. The cipher is designed for high throughput on general purpose processors.

Canst thou draw out leviathan with a hook? (Job 41:1) Perhaps not, but Paul Crowley and Stefan Lucks published an analysis of the Bias in the LEVIATHAN stream cipher at the April, 2001 Fast Software Encryption Workshop. This work shows that bias can be observed with 2^36 bytes of output, and presents two distinguishers.

A relatively simple addition to the cipher is believed to eliminate this bias. However, the updated specification has not yet been published.

Counter mode is a block cipher mode of operation of considerable
interest, especially for use with AES. It is known to have good
security properties, can be implemented using parallelism or
pipelining, can be implemented using predictive strategies for
keystream generation, has zero plaintext expansion (ciphertext that is
the same length as the plaintext), and does not propagate bit errors
during decryption. Additionally, it has recently been added to NIST's
list of approved modes.

Secure RTP defines a counter mode variant in Section 4.1.1. This
mode was chosen because it provides high security, has ciphertext that
is no larger than the corresponding plaintext, and does not propagate
bit errors on decryption.

Integer Counter Mode,
draft-mcgrew-saag-icm-00.txt.
Individual submission to the IETF Security Area Advisory Group (SAAG).
This draft defines a counter mode variant that is flexible enough to
be applied to distinct application domains. Please note that this
variant is not interoperable with that specified in the
old Stream Cipher ESP document. This draft has expired and has not been resubmitted.

The Truncated Multi-Modular Hash (TMMH) is a derivative of MMH which provides universal hashing for use in a Carter-Wegman message authentication code.

TMMH Version Two is specified in draft-mcgrew-saag-tmmh-02.txt. See the Revision History section for a list of changes from the initial version. This draft has expired and has not been resubmitted.

The Universal Security Transform (UST)

UST is a data transform which provides confidentiality and message authentication by using a universal hash function (such as TMMH) with a segmented stream cipher (such as AES Counter Mode). It is specified in the Internet Draft draft-mcgrew-saag-ust-00.txt. This transform is well optimized for protecting packet flows, minimizing computational cost and storage requirements while providing strong security.
A previous draft describing UST was called draft-mcgrew-saag-sst-00.txt; the name was changed to avoid a potential trademark infringement.

This draft has expired and has not been resubmitted. Please see GCM, which follows the same framework and has the same benefits (though GCM is a block cipher mode, and will not work with an arbitrary pseudorandom function).

The Stream Cipher Encapsulating Security Payload (SC/ESP)

Individual submission to the IETF IPsec Working Group,
draft-mcgrew-ipsec-scesp-02.txt. IETF Internet Draft, November,
2000. This is joint work with Scott Fluhrer and Cheryl Madson. This draft has expired and has not been resubmitted.

Revision History

draft-mcgrew-ipsec-scesp-02.txt Added a section on Counter
Mode, and a subsection on the security analysis of that
cipher. Minor clarifications added.

draft-mcgrew-ipsec-scesp-01.txt Changed a MAY to a MUST
based on feedback from the presentation at the Pittsburgh IETF. Minor clarifications added.

draft-mcgrew-ipsec-scesp-00.txt - Original version.

The SEAL ESP is a specialization of SC/ESP; it is implemented in Cisco IOS. The SEAL cipher is described by a paper in the Journal of Cryptology that is also available online.

Patents

Stream cipher encryption method and apparatus that can efficiently seek to arbitrary locations in a key stream. United States Patent 6,862,354. David McGrew, Scott Fluhrer. March 1, 2005. Assigned to Cisco Systems, Inc.

Publicly verifiable key recovery. United States Patent 6,249,585. David McGrew, David Carman. June 19, 2001. Assigned to Network Associates, Inc.

This site includes publicly available encryption source code which,
together with object code resulting from the compiling of publicly
available source code, may be exported from the United States under
License Exception "TSU" pursuant to 15 C.F.R. Section
740.13(e).

libSRTP, an open source reference implementation of Secure RTP, is online at sourceforge.net. This work implements SRTP in a portable C library with a documented API.

The libsrtp distribution is a .tgz file containing C source code. The README file describes how to build the library and run the test driver and example programs. The API is described in the document libSRTP Overview and Documentation, which is included in the distribution as doc/libsrtp.pdf and is also available online.

The
Crypto Forum Research Group
(CFRG) is an Internet Research Task Force (IRTF) group for
the discussion and review of cryptographic mechanisms for network
security in general and for the IETF in particular. The group
provides a forum where cryptographers, network security experts, and
protocol designers can exchange ideas and investigate ways for using
new cryptographic developments in the future Internet.

Wireless LAN Security: The Bluetooth Specification. This spec contains an LFSR based cipher called `E0' (which is a
variant of a summation generator) in section 14.3.4. Source code
for this cipher is available online here.